mailing list archives
SQL injection from within a table - is it possible?
From: Peter Bair <peterbair100 () hotmail com>
Date: 7 Jan 2005 00:59:44 -0000
Is it possible to store an SQL injection string into a MSSQL database table, so when the database performs an action
like through a stored proc, the SQL injection attack takes place?
Not through the normal means of SQL injection via a web base means, but if you have the means of storing the data into
the table directly.
An application has a users name in a table. Is it possible to assign the users name as the SQL injection string,
name from table; exec master.xp_cmdshell "ping me"; --
so when the database is running a stored procedure with a select clause like
select name from table
it really is becomes
select name from table; exec master.xp_cmdshell "ping me" ;-- from table
Of course using the SQL query analyzer on the database table, all this works ok.
But when I insert the SQL injection string into the table, as the name, and then query the table nothing happens.
Is it possible or have I missed the point here?
- SQL injection from within a table - is it possible? Peter Bair (Jan 07)